CVE-2023-7335
EduSoho < 22.4.7 Arbitrary File Read via classroom-course-statistics
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
EduSoho versions prior to 22.4.7 contain an arbitrary file read vulnerability in the classroom-course-statistics export functionality. A remote, unauthenticated attacker can supply crafted path traversal sequences in the fileNames[] parameter to read arbitrary files from the server filesystem, including application configuration files such as config/parameters.yml that may contain secrets and database credentials. Exploitation evidence was observed by the Shadowserver Foundation on 2026-01-19 (UTC).
| CWE | CWE-22 |
| Vendor | hangzhou kuozhi network technology co., ltd. |
| Product | edusoho |
| Published | Jan 22, 2026 |
| Last Updated | Jul 15, 2026 |
Stay Ahead of the Next One
Get instant alerts for hangzhou kuozhi network technology co., ltd. edusoho
Be the first to know when new unknown vulnerabilities affecting hangzhou kuozhi network technology co., ltd. edusoho are published — delivered to Slack, Telegram or Discord.
Get Free Alerts →
Free · No credit card · 60 sec setup
Affected Versions
Hangzhou Kuozhi Network Technology Co., Ltd. / EduSoho
0 < 22.4.7
References
edusoho.com: https://www.edusoho.com/ github.com: https://github.com/edusoho/edusoho/releases/tag/v22.4.7 cn-sec.com: https://cn-sec.com/archives/2451582.html blog.csdn.net: https://blog.csdn.net/qq_41904294/article/details/135007351 github.com: https://github.com/zeroChen00/exp-poc/blob/main/EduSoho%E6%95%99%E5%9F%B9%E7%B3%BB%E7%BB%9Fclassropm-course-statistics%E5%AD%98%E5%9C%A8%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md github.com: https://github.com/gobysec/GobyVuls/blob/master/CNVD-2023-03903.md cnvd.org.cn: https://www.cnvd.org.cn/flaw/show/CNVD-2023-03903 vulncheck.com: https://www.vulncheck.com/advisories/edusoho-arbitrary-file-read-via-classroom-course-statistics